The FBI tells CNET that the IPv6 transition may require it to develop "additional tools" for surveillance.

The FBI is worried that an explosion of new Internet numeric addresses scheduled to begin next week may hinder its ability to conduct electronic investigations.

A historic switchover that will give the Internet a nearly inexhaustible supply of network addresses -- up from the current nearly exhausted total of 4.3 billion -- is planned for next Wednesday. AT&T, Comcast, Facebook, Google, Cisco, and Microsoft are among the companies participating.

Side effects from the transition to Internet Protocol version 6, or IPv6, "could have a profound effect on law enforcement," an FBI spokesman told CNET. "Additional tools" may need to be developed to conduct Internet investigations in the future, the spokesman said.

That's one reason the FBI recently formed a new unit, the Domestic Communications Assistance Center in Quantico, Va., which is responsible for devising ways to keep up with "emerging" technologies. CNET was the first to report on the formation of the center in an article last week.

While Wednesday's World IPv6 Day is only one step in the transition to the next-generation system, it's expected to mark the beginning of a gradual decline in popularity of the outgoing IPv4 standard. The participating Internet providers will begin to switch over a fraction of their residential subscribers on Wednesday, and router makers will enable IPv6 by default for their products. (Here's an IPv6 FAQ.)

That's what worries the FBI, which has been meeting quietly with Internet companies to figure out how its agents can maintain their ability to obtain customer records in investigations.

"This is a very real concern," says Jason Fesler, Yahoo's IPv6 evangelist. It will "impact a service provider's ability to readily respond to legal requests from law enforcement agencies," according to the Broadband Internet Technical Advisory Group, or BITAG, which counts AT&T, Cisco, Comcast, Time Warner Cable, Google, and Microsoft as members.

D-Link, the Taiwan-based company that's one of the largest makers of routers and networking gear worldwide, agrees. "D-Link is aware of potential issues concerning IPv6 and law enforcement concerns that are currently being assessed," a company spokesman said. "D-Link is committed to IPv6 support and will comply with any future guidelines."

The Internet engineers who recognized the need for more addresses as far back as the 1980s, and began sketching out what became IPv6 over two decades ago, didn't intend to create headaches for police agencies. Instead, it was an unintended consequence of the hybrid technologies that were created to allow IPv4 and IPv6 connections to share one network during the transition.

Once IPv6 is near-universally adopted, it's likely to prove a boon to police, a fact that some law enforcement representatives privately acknowledge. That's because each device -- tablets, phones, refrigerators, lawn-mowing robots, and so on -- will sport its own unique Internet address.

So far, the FBI is taking a wait-and-see approach to the transition, saying that "it is too early to know the extent of the impact of IPv6 upon law enforcement until more providers deploy it."

The bureau's concern about IPv6 is one component of what it calls the "Going Dark" problem, meaning that the surveillance capabilities of police may diminish as technology advances. CNET was the first to report that the FBI is asking Internet companies not to oppose a controversial proposal crafted in response to Going Dark that would extend the Communications Assistance for Law Enforcement Act (CALEA) to the Web.

FBI's CGN problem: the technical details
At the moment, if someone suspected of committing a crime is posting about it on Facebook, for instance, police can obtain a court order to trace an IPv4 Internet address such as 64.30.224.26 back to a single household.

But the exhaustion of IPv4 addresses is prompting many Internet providers to embrace a transitional technology called carrier-grade Network Address Translation, or CGN, that allows a single Internet address to be shared by hundreds of homes, or even an entire town, at the same time. It's common to have 1,000 people share one Internet address.

That means it's no longer enough to know that someone's publicly visible address is 64.30.224.26.

Facebook and other Web sites that want to trace a network connection back to a person -- for their own anti-abuse purposes or to assist law enforcement -- will need to log the IP address and also what's known as the port number. (Port numbers, such as assigning one household the range 12000-12009, are how hundreds of households can share a single Internet address simultaneously.)

In addition, an Internet provider using CGN also will have to keep logs of which port numbers map to which customer.

"You will need more," Keith O'Brien, a Cisco distinguished engineer, told the High Technology Crime Investigation Association this month. O'Brien said increased use of CGN "will require more information to be gathered in order to accurately identify a subscriber."

O'Brien suggested to his audience that, when conducting investigations, they should ask Web sites for the Internet address, the exact time, and the source and destination ports that were in use.

Fesler, Yahoo's IPv6 evangelist, said that in addition to storing IP addresses, his employer is now recording the source port from which its users are connecting. "Only with the combination of time, address, and source port, will any Internet service provider have any chance of checking their logs, and associating that information back to a specific subscriber," he said.

Last summer, engineers from AT&T, Yahoo, and Juniper Networks jointly published "Logging Recommendations for Internet-Facing Servers," which the Internet Engineering Steering Group approved as a best-practices document called RFC 6302. It recommends that anyone operating a Web server record the source port number of inbound connections down to the precise second "to support abuse mitigation or public safety requests."

One inevitable side effect of all this extra logging is the expense: detailed logs consume an extraordinary amount of storage.

CableLabs, a research and development organization founded by the cable industry that counts representatives of Comcast, Rogers Communications, and Time Warner Cable on its board, says the log size is immense. It estimates the average subscriber opens 33,000 connections per day, which means 1.8 petabytes per year per million subscribers just for logging.

But, says Chris Donley, CableLabs' project director for network protocols, there's a way to chop log sizes. It involves assigning port ranges in advance to specific Internet addresses, which will reduce log volumes in the range of 100,000- to one million-fold, he estimates.

Law enforcement representatives like the idea, Donley says. "It will make it easier for ISPs to respond to public safety requests without requiring onerous infrastructure on either the ISP or public safety part," he said. "We've been meeting with a number of public safety agencies roughly quarterly to discuss this approach."
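The following is an added example, not code from the article or from any of the companies it quotes. It models in Python the two halves of the CGN identification chain described above: a web-server log line that carries the source port and a timestamp to the second, as RFC 6302 recommends, and the pre-assigned port-block mapping Donley describes, which lets a carrier-grade NAT keep one record per subscriber instead of one per connection. The shared address 64.30.224.26 and the ten-port block come from the article; the subscriber table and the log lines are constructed.

```python
from typing import Optional

PUBLIC_IP = "64.30.224.26"   # the shared IPv4 address used in the article
FIRST_PORT = 12000           # constructed: first port of the first block
BLOCK_SIZE = 10              # the article's 12000-12009 example block

# Constructed subscriber table behind one CGN public address (index -> subscriber id).
SUBSCRIBERS = ["sub-%03d" % i for i in range(1, 6)]

def port_block(index: int) -> range:
    """Deterministic allocation: subscriber index -> contiguous port range."""
    start = FIRST_PORT + index * BLOCK_SIZE
    return range(start, start + BLOCK_SIZE)

def mapping_log() -> list:
    """The only CGN record needed with pre-assigned blocks: one row per subscriber."""
    return [(PUBLIC_IP, port_block(i).start, port_block(i)[-1], sub)
            for i, sub in enumerate(SUBSCRIBERS)]

def parse_server_log(line: str) -> dict:
    """Parse a constructed web-server log line of the form
    '<timestamp to the second> <client_ip>:<source_port> <request>'.
    Without the source port the entry cannot be resolved behind CGN,
    so the parser rejects it rather than returning a half-usable record."""
    timestamp, endpoint, *request = line.split()
    if ":" not in endpoint:
        raise ValueError("source port missing: %s" % line)
    ip, port = endpoint.rsplit(":", 1)
    return {"time": timestamp, "ip": ip, "port": int(port),
            "request": " ".join(request)}

def identify(public_ip: str, port: int) -> Optional[str]:
    """Reverse lookup from (public IP, source port) to the subscriber id."""
    if public_ip != PUBLIC_IP or port < FIRST_PORT:
        return None
    index = (port - FIRST_PORT) // BLOCK_SIZE
    return SUBSCRIBERS[index] if index < len(SUBSCRIBERS) else None

def log_rows_per_day(subscribers: int, connections_per_sub: int = 33000) -> tuple:
    """Rows a CGN must keep per day: per-connection logging (the CableLabs
    figure of 33,000 connections per subscriber) versus one row per block."""
    return subscribers * connections_per_sub, subscribers

if __name__ == "__main__":
    rec = parse_server_log("2012-06-06T12:00:01Z 64.30.224.26:12013 GET /post/123")
    print(rec, "->", identify(rec["ip"], rec["port"]))   # resolves to sub-002
    print(log_rows_per_day(1_000_000))
```

The block-size and subscriber count are deliberately tiny; the ratio returned by `log_rows_per_day` is what changes with real numbers, and it is the reason the port-block approach shrinks the logs.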

Not all Internet providers are using CGN. Comcast, for instance, has taken a different approach using what's known as a "dual stack," meaning their customers' computers will run IPv4 and IPv6 simultaneously.

Increased logging can also lead to privacy concerns. "We have urged providers not to log information that they don't need for their own provision of services, even if someone else might want the information or they hypothesize that it might be valuable someday," says Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation in San Francisco.

And mandatory logging -- required by an FBI-backed bill that a House of Representatives committee approved last year -- would be especially problematic for smaller Internet providers. "We couldn't retain records" even under the smaller data requirements of IPv4, says Brett Glass, owner of Lariat.net, a local Internet provider in Laramie, Wy. "There would be too much volume."

"There is no doubt that the wiretappers are being left behind and challenged," says one attorney who represents telecommunications providers. "It is just a question of whether you have an always-on storage of everyone's activity for law enforcement's benefit when the Federal Trade Commission is suing you for overcollection in other contexts, and less intrusive measures can be used."

Live IPv6 wiretaps
In theory, intercepting IPv6-only traffic isn't any different from intercepting IPv4 traffic. Readily available sniffing tools such as tcpdump, Ethereal, and Wireshark can decode IPv6 packets. In practice, however, some hurdles can arise.

CALEA: The 1994 law called CALEA resulted in industry standards requiring telecommunications companies to make their networks readily wiretappable by police. But those standards, including one element called CACmII (which stands for the awkwardly-titled phrase Content-Associated Communications Identifying Information), are incompatible with IPv6.

During a presentation at a networking conference last fall, AT&T researchers warned (PDF) that "the standards are steps behind the industry evolution" to IPv6.

Encryption: Any computer with IPv6 has built-in encryption called IPsec (which can also be available with IPv4). The New York Times reported in 2010 that the FBI was lobbying for a law requiring telecommunications companies offering encryption to build in backdoors for law enforcement, a requirement that would likely cover IPsec, but the bureau distanced itself from that idea a few months later.

"The frequency of use should increase with IPv6," predicts a network engineer at Sonic.net, an Internet provider in Santa Rosa, Calif. "None of this is good news for law enforcement organizations."

But some of the technical details are challenging, and IPsec is still not widely used. Neither are HTTPS encrypted connections; Arbor Networks estimates that only 2 percent of native IPv6 traffic is HTTPS, not counting file sharing traffic.

Tunneling: A technology called Dual-Stack Lite, or DS-Lite, is designed to help with the transition by wrapping an IPv6 packet around an IPv4 packet, which can be faster than other methods.

It, too, can cause problems with wiretaps. An Internet draft published in March by representatives of Telecom Italia and France Telecom acknowledges DS-Lite can hinder eavesdropping. "A single IPv4 address, or some range of ports for each address, might be set aside for monitoring purposes to simplify such procedures," they recommend.

The FBI says it's paying close attention to these aspects of IPv6: "Some of the optional capabilities will determine whether existing law enforcement tools and techniques will continue to support lawfully authorized collections or additional tools will need to be developed."

About the author

Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.